Rulings on Class Cert Reveal Vulnerable Areas on Websites That Could Lead to Lawsuits
The reasoning behind court decisions to grant or deny class certification in recent privacy cases serves to show what parts of a website are most open to lawsuits and warn businesses to ensure their privacy policies and practices are up to par, according to two Fisher Phillips blogs.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
Frasco v. Flo Health, Inc. alleges a health-tracking app disclosed sensitive health information to third parties without consent. A Fisher Phillips blog from May 30 said the certification of class, granted May 22, “marks a pivotal moment in ongoing litigation concerning the collection and disclosure of personal data and may serve as a bellwether in predicting how courts will address key issues related to data privacy, user consent, and class action waiver enforceability.”
Specifically, the U.S. District Court for Northern California found the class action waiver couldn’t be enforced because it was buried too far into the app's Terms of Service, the lawyers said. The court also ruled that class members had standing even if the information shared was anonymized; according to the blog, it found such unauthorized data collection itself counts as injury. Finally, while there were multiple theories of liability in the case, many of them were based on the possibility of misrepresentations of privacy practices, so “its recurring nature emphasized that a user’s expectations about privacy can be set -- or at least molded -- by the disclosures and representations made to them” in Privacy Policies or Terms of Service, the Fisher lawyers said.
Another Fisher Phillips blog, from June 11, highlights lessons learned from a separate privacy case alleging violations of the California Invasion of Privacy Act (CIPA). According to the blog, the lawsuit claims marketing tech company AddShoppers collects users’ online browsing data without consent and uses it for targeted ads. A California federal judge denied class certification in the case on May 29, the lawyers said, citing several deficiencies.
One of the plaintiffs “failed to show that his detailed browsing data was collected,” and so the court found his testimony lacked credibility and was contradicted by discovery records, ultimately dismissing his claims entirely, the lawyers said. A different plaintiff was viewed as “an atypical class member, which made her inadequate to represent the class,” as she relied on assumptions, had unpersuasive testimony and deleted key browsing history.
Despite the fact that this suit ultimately failed, “a plaintiff with clearer evidence, stronger credibility, and preserved browsing data could succeed.” Accordingly, websites “must preserve their records carefully and be ready to defend how data was collected and associated with users,” the bloggers said. They also suggested implementing privacy-by-design features, vetting third parties and auditing and documenting user consent mechanisms to protect against litigation.